US11818150B2ActiveUtilityA1

System and methods for detecting and mitigating golden SAML attacks against federated services

74
Assignee: QOMPLX INCPriority: Oct 28, 2015Filed: Oct 27, 2022Granted: Nov 14, 2023
Est. expiryOct 28, 2035(~9.3 yrs left)· nominal 20-yr term from priority
H04L 63/1416H04L 63/0876H04L 63/1425H04L 63/1466H04L 9/3239H04L 63/0815H04L 63/1433H04L 63/126
74
PatentIndex Score
0
Cited by
39
References
12
Claims

Abstract

A system and methods for detecting and mitigating golden SAML attacks against federated services is provided, comprising an authentication object inspector configured to observe a new authentication object generated by an identity provider, and retrieve the new authentication object; and a hashing engine configured to create a security cookie for each valid authentication session; wherein subsequent access requests accompanied by authentication objects are validated by checking for a valid security cookie.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system for detecting and mitigating golden Security Assertion Markup Language (SAML) attacks against federated services, comprising:
 a computing device comprising a memory and a processor; 
 an authentication object inspector comprising a first plurality of programming instructions stored in the memory which, when operating on the processor, causes the computing device to:
 receive network traffic comprising a plurality of network packets, the plurality of network packets comprising a first authentication object for a user of a federated service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the federated service; 
 store a record of the first authentication object, with attached metadata comprising a timestamp of when the first authentication object was received, in a time-series database; 
 generate a security cookie for the first authentication object; 
 provide the security cookie to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user; 
 receive a request for access to the federated service by the user accompanied by a second authentication object comprising a second identification string and the security cookie; 
 compare a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object; 
 
 check the second authentication object for the security cookie; and
 generate an authentication failure if the security cookie is missing or invalid. 
 
 
     
     
       2. The system of  claim 1 , further comprising a hashing engine comprising a second plurality of programming instructions stored in the memory of, and operating on the processor of, the computing device, wherein the second plurality of programmable instructions, when operating on the processor, cause the computing device to:
 receive authentication objects from the authentication object inspector; 
 calculate security cookies for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and 
 return the security cookies for authentication objects received to the authentication object inspector. 
 
     
     
       3. The system of  claim 1 , wherein the authentication object inspector is operated by the identity provider. 
     
     
       4. The system of  claim 2 , wherein the authentication object inspector is operated by the identity provider. 
     
     
       5. The system of  claim 1 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network. 
     
     
       6. The system of  claim 2 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network. 
     
     
       7. A method for detecting and mitigating golden Security Assertion Markup Language (SAML) attacks against federated services, comprising:
 using an authentication object inspector operating on a computing device comprising a memory and a processor to:
 receive network traffic comprising a plurality of network packets, the plurality of network packets comprising a first authentication object for a user of a federated service, the first authentication object comprising a first identification string known to be generated by an identity provider associated with the federated service; 
 store a record of the first authentication object, with attached metadata comprising a timestamp of when the first authentication object was received, in a time-series database; 
 generate a security cookie for the first authentication object; 
 provide the security cookie to the identity provider from which the first authentication object was generated for inclusion in additional authentication objects issued to the user; 
 receive a request for access to the federated service by the user accompanied by a second authentication object comprising a second identification string and the security cookie; 
 compare a value of the second identification string of the second authentication object against a value of the second identification string of the stored record of the first authentication object; 
 check the second authentication object for the security cookie; and 
 generate an authentication failure if the security cookie is missing or invalid. 
 
 
     
     
       8. The method of  claim 7 , further comprising the steps of:
 using a hashing engine operating on a computing device comprising a memory and a processor to:
 receive authentication objects from the authentication object inspector; 
 calculate security cookies for authentication objects received by performing a plurality of calculations and transformations on each authentication object received; and 
 return the security cookies for authentication objects received to the authentication object inspector. 
 
 
     
     
       9. The method of  claim 7 , wherein the authentication object inspector is operated by the identity provider. 
     
     
       10. The method of  claim 8 , wherein the authentication object inspector is operated by the identity provider. 
     
     
       11. The method of  claim 7 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network. 
     
     
       12. The method of  claim 8 , wherein the authentication object inspector is operated by a client device communicating with the identity provider over a network.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.